Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-225 | TSS0750 | SV-225r4_rule | High |
Description |
---|
The PASSWORD(NOPW) option if specified, would allow access to ACIDs capability without specifying a password. This includes all ACID types (including USER, DCA, VCA, ZCA, LSCA, SCA, and MSCA) except for structure ACIDS such as: DEPARTMENT, DIVISION, ZONE, GROUP, and PROFILE. This would cause user accountability to be lost for those ACIDs and they could conceivably possess more authority than is necessary for them to do their job. |
STIG | Date |
---|---|
z/OS TSS STIG | 2017-06-26 |
Check Text ( C-60231r4_chk ) |
---|
Refer to the following reports produced by the TSS Data Collection: - TSSCMDS.RPT(@ACIDS) - TSSCMDS.RPT(@ALL) Automated Analysis Refer to the following report produced by the TSS Data Collection: - PDI(TSS0750) NOTE: To evaluate the PASSWORD option NOPW, the TSSCMDS and CATJ0002 jobs must be run under the MSCA's ACID. If CATJ0002 is not submitted using the MSCA's ACID, the above PDI member will not be generated. If PASSWORD(NOPW) is specified for any ACID types (USER, DCA, VCA, ZCA, LSCA, SCA, and MSCA), this is a finding. |
Fix Text (F-28424r4_fix) |
---|
Review definition of all ACID types (including USER, DCA, VCA, ZCA, LSCA, SCA, and MSCA) except for structure ACIDS such as: DEPARTMENT, DIVISION, ZONE, GROUP, and PROFILE to ensure that all ACIDs specify a password. The following command is an example of how this can be corrected. TSS REPLACE(user_ACID) PASSWORD(Text4Pwd,60) |